From 3cd31b8aedd572360c29644a5d4c5dd83d475447 Mon Sep 17 00:00:00 2001 From: Sean Rankine Date: Tue, 24 Mar 2026 15:52:21 +0000 Subject: [PATCH 1/4] Add ADR048: Immutable Form Versioning Outlines the transition from a mutable document-based system to an immutable versioning model for published forms. This includes new API endpoints for draft and versioned forms, addressing limitations in the current system and enhancing caching, submission tracking, and user experience during form completion. --- ADR/ADR048-immutable-form-versioning.md | 63 +++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 ADR/ADR048-immutable-form-versioning.md diff --git a/ADR/ADR048-immutable-form-versioning.md b/ADR/ADR048-immutable-form-versioning.md new file mode 100644 index 000000000..0cc87929a --- /dev/null +++ b/ADR/ADR048-immutable-form-versioning.md @@ -0,0 +1,63 @@ +# ADR048: Immutable Form Versioning + +Date: 2026-03-24 + +## Status + +Accepted + +## Context + +GOV.UK Forms currently uses a mutable document-based system for managing form lifecycle states. The `Form` model has an associated `FormDocument` model, with documents tagged as `draft`, `live`, or `archived`. The current API (v2) exposes these via: + +- `GET /api/v2/forms/:form_id/draft` +- `GET /api/v2/forms/:form_id/live` +- `GET /api/v2/forms/:form_id/archived` + +The `FormStateMachine` manages transitions between states (`draft`, `live`, `live_with_draft`, `archived`, `archived_with_draft`), and the `FormDocumentSyncService` synchronises the JSON content into `FormDocument` records when these transitions occur. + +This approach has several limitations: + +1. The `/live` endpoint is mutable. The content behind `/api/v2/forms/:form_id/live` changes each time a form is re-published, so consumers must always re-fetch. This prevents effective caching. +2. No explicit link between a submission and the form version it was submitted against. When a form is updated and re-published, there is no reliable way to identify which version of the form a given submission relates to. This makes it difficult to group submissions by form version or detect when a form changed between batch submission deliveries. +3. Mid-journey disruption. If a form creator publishes a new version or archives a form while a user is part-way through filling it in, the form can change or disappear mid-journey. There is no mechanism for in-progress users to continue with the version they started. + +## Decision + +We will introduce an immutable versioning model for published forms, exposed through a new v3 API. The key changes are: + +### New API endpoints + + +| Endpoint | Description | +| --------------------------------------------------- | -------------------------------------------------------------------------------------------------------- | +| `GET /api/v3/forms/:form_id/draft` | Returns the current draft form document JSON (mutable, changes as the form creator edits) | +| `GET /api/v3/forms/:form_id/versions/:form_version` | Returns an immutable, versioned form document. Once created, this content never changes. | +| `GET /api/v3/forms/:form_id/latest` | Returns the latest live version of the form (a redirect or alias to the most recently published version) | + + +### Lifecycle + +- Draft state: A form being edited has a draft available at `/api/v3/forms/:form_id/draft`. This behaves similarly to today. +- Publishing (making live): When a form is made live, a new immutable version is created and assigned an incrementing version identifier (e.g. `1`, `2`, `3`). It becomes available at `/api/v3/forms/:form_id/versions/:form_version`. The `/api/v3/forms/:form_id/latest` endpoint points to this new version. +- Archiving: When a form is archived, `/api/v3/forms/:form_id/latest` and `/api/v3/forms/:form_id/draft` return `404` (or `410 Gone`). However, all previously published versions remain available at `/api/v3/forms/:form_id/versions/:form_version` because they are immutable. + +### Content removal + +Immutability prevents deletion as part of normal operations. A separate process will be needed for exceptional cases where published content genuinely must be removed (e.g. GDPR erasure). + +## Consequences + +### Positive + +- Cacheable published forms. Versioned form documents at `/api/v3/forms/:form_id/versions/:form_version` can be cached indefinitely by consumers (e.g. forms-runner, CDNs), significantly reducing load on the API and improving latency for form rendering. +- Submissions linked to form versions. Each submission can explicitly reference the `form_version` it was submitted against. This enables grouping submissions by version and helps people processing submissions to know exactly which questions were asked. +- Graceful publishing. Users who have already started filling in a form can continue submitting against the version they began with, even if the form creator publishes a new version in the meantime. +- Graceful archiving. When a form is archived, new users can be prevented from starting the form while users who have already started can finish and submit against the version they are on. +- Reverting to previous versions. Preserving all published versions makes it easier to implement future features allowing form creators to revert to a previous version of a form. +- Audit trail. The full history of published form versions is preserved and addressable. + +### Negative + +- Migration and data model complexity. Existing consumers (primarily forms-runner) will need to be updated to use the v3 API, requiring a transition period running both APIs in parallel. The `FormDocument` model (or a new model) will need to support version numbering alongside or in place of the current tag-based system (`draft`, `live`, `archived`). + From d00263cd8bac40baf24eec5cf7e6000cb4bf06f3 Mon Sep 17 00:00:00 2001 From: Sean Rankine Date: Wed, 1 Apr 2026 17:32:04 +0100 Subject: [PATCH 2/4] Update ADR048 about hard submission deadlines Added a section on hard submission deadlines to ADR048, outlining the need for strict cutoff times for certain forms. This change clarifies that archiving will no longer serve as a method to prevent future submissions and suggests a new implementation approach for managing submission deadlines. --- ADR/ADR048-immutable-form-versioning.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ADR/ADR048-immutable-form-versioning.md b/ADR/ADR048-immutable-form-versioning.md index 0cc87929a..b05cf9e25 100644 --- a/ADR/ADR048-immutable-form-versioning.md +++ b/ADR/ADR048-immutable-form-versioning.md @@ -42,6 +42,12 @@ We will introduce an immutable versioning model for published forms, exposed thr - Publishing (making live): When a form is made live, a new immutable version is created and assigned an incrementing version identifier (e.g. `1`, `2`, `3`). It becomes available at `/api/v3/forms/:form_id/versions/:form_version`. The `/api/v3/forms/:form_id/latest` endpoint points to this new version. - Archiving: When a form is archived, `/api/v3/forms/:form_id/latest` and `/api/v3/forms/:form_id/draft` return `404` (or `410 Gone`). However, all previously published versions remain available at `/api/v3/forms/:form_id/versions/:form_version` because they are immutable. +### Hard submission deadlines + +For legal or policy reasons, some forms may need a strict cutoff time after which no new submissions are permitted. Archiving would no longer act as a way to cut off in-progress journeys and prevent any future submissions. + +However, this behaviour can be re-implemented. For example, this could be a deadline timestamp attribute on the form that `forms-runner` checks before displaying the form or accepting a submission. This is more explicit and reliable than using archiving as a proxy for a hard stop. It would also allow form owners to schedule a cutoff in advance. + ### Content removal Immutability prevents deletion as part of normal operations. A separate process will be needed for exceptional cases where published content genuinely must be removed (e.g. GDPR erasure). @@ -60,4 +66,5 @@ Immutability prevents deletion as part of normal operations. A separate process ### Negative - Migration and data model complexity. Existing consumers (primarily forms-runner) will need to be updated to use the v3 API, requiring a transition period running both APIs in parallel. The `FormDocument` model (or a new model) will need to support version numbering alongside or in place of the current tag-based system (`draft`, `live`, `archived`). +- Archiving no longer acts as a way to cut off in-progress journeys and any future submissions. Some forms may rely on this behaviour for legal or policy reasons. We would need to re-implement this behaviour in a new way. From 8220af56d4892d7043a65887abcb6de1564c86b1 Mon Sep 17 00:00:00 2001 From: Sean Rankine Date: Wed, 1 Apr 2026 17:44:42 +0100 Subject: [PATCH 3/4] Update ADR048 about linking submissions to form versions Added a section detailing how each submission will now store the `form_version` it was made against, helping proccess handle changes to the form. --- ADR/ADR048-immutable-form-versioning.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ADR/ADR048-immutable-form-versioning.md b/ADR/ADR048-immutable-form-versioning.md index b05cf9e25..c0fc87f4a 100644 --- a/ADR/ADR048-immutable-form-versioning.md +++ b/ADR/ADR048-immutable-form-versioning.md @@ -42,11 +42,15 @@ We will introduce an immutable versioning model for published forms, exposed thr - Publishing (making live): When a form is made live, a new immutable version is created and assigned an incrementing version identifier (e.g. `1`, `2`, `3`). It becomes available at `/api/v3/forms/:form_id/versions/:form_version`. The `/api/v3/forms/:form_id/latest` endpoint points to this new version. - Archiving: When a form is archived, `/api/v3/forms/:form_id/latest` and `/api/v3/forms/:form_id/draft` return `404` (or `410 Gone`). However, all previously published versions remain available at `/api/v3/forms/:form_id/versions/:form_version` because they are immutable. +### Linking submissions to form versions + +Each submission will store the `form_version` it was made against, and that version information will be exposed to downstream form processors. This makes the version of the form explicit at the point of processing, instead of requiring processors to infer changes from the submission payload shape. + ### Hard submission deadlines For legal or policy reasons, some forms may need a strict cutoff time after which no new submissions are permitted. Archiving would no longer act as a way to cut off in-progress journeys and prevent any future submissions. -However, this behaviour can be re-implemented. For example, this could be a deadline timestamp attribute on the form that `forms-runner` checks before displaying the form or accepting a submission. This is more explicit and reliable than using archiving as a proxy for a hard stop. It would also allow form owners to schedule a cutoff in advance. +This behaviour should be re-implemented. For example, this could be a deadline timestamp attribute on the form that `forms-runner` checks before displaying the form or accepting a submission. This is more explicit and reliable than using archiving as a proxy for a hard stop. It would also allow form owners to schedule a cutoff in advance. ### Content removal From 51df71a1a418cbdac13267933e4e5360cccc707e Mon Sep 17 00:00:00 2001 From: Sean Rankine Date: Thu, 2 Apr 2026 15:27:39 +0100 Subject: [PATCH 4/4] Update ADR048 about schema versioning Added a section detailing schema changes --- ADR/ADR048-immutable-form-versioning.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ADR/ADR048-immutable-form-versioning.md b/ADR/ADR048-immutable-form-versioning.md index c0fc87f4a..6b6328872 100644 --- a/ADR/ADR048-immutable-form-versioning.md +++ b/ADR/ADR048-immutable-form-versioning.md @@ -46,6 +46,14 @@ We will introduce an immutable versioning model for published forms, exposed thr Each submission will store the `form_version` it was made against, and that version information will be exposed to downstream form processors. This makes the version of the form explicit at the point of processing, instead of requiring processors to infer changes from the submission payload shape. +### Schema changes + +Consumers should always be able to treat `/api/v3/forms/:form_id/versions/:form_version` as a stable representation of the questions, structure, and behaviour that were published at that point in time. + +To handle changes in how form documents are represented, the form document should include an explicit `schema_version`. This makes it clear to consumers how to interpret the document while allowing the published content itself to remain immutable. + +In practice, schema changes should usually be backwards-compatible so consumers can continue to handle older and newer documents. Breaking schema changes should be reserved for the introduction of a new API version. + ### Hard submission deadlines For legal or policy reasons, some forms may need a strict cutoff time after which no new submissions are permitted. Archiving would no longer act as a way to cut off in-progress journeys and prevent any future submissions. @@ -71,4 +79,5 @@ Immutability prevents deletion as part of normal operations. A separate process - Migration and data model complexity. Existing consumers (primarily forms-runner) will need to be updated to use the v3 API, requiring a transition period running both APIs in parallel. The `FormDocument` model (or a new model) will need to support version numbering alongside or in place of the current tag-based system (`draft`, `live`, `archived`). - Archiving no longer acts as a way to cut off in-progress journeys and any future submissions. Some forms may rely on this behaviour for legal or policy reasons. We would need to re-implement this behaviour in a new way. +- Schema compatibility discipline. We would need to keep schema changes backwards-compatible within the API version wherever possible, and treat breaking schema changes as part of a future API version.